Zimbra Forums

Hi folks,
just had a closer look at the SMIME stuff (NE feature), and was quite a bit shocked, what's going on here.
Let's dig a bit in com_zimbra_smime.jarx:
Manifest declares:

Permissions: all-permissions


That means nothing less than that the applet requires _FULL LOCAL PERMISSIONS_ on the Client

machine. So, it can do _ANYTHING_ that the local user can do, if the user allows the applet to be run.
And it gets even worse:
It also deploys _MACHINE CODE_, which of course can do whatever it wants with the local machine

(at least the current user account), without the user having any control whatsoever.

(see ./com/zimbra/smime/native/* inside the jarx file)
From a security pov this is TOTALLY INACCEPTABLE.
This is like giving an arbitrary postal/shipping (more precisely: the company who's building their cars)

the master key to your house !


We seriously considered rolling out Zimbra SMIME on certain large installations.

I'm really glad that I detected that early enough to stop the whole project.

[quote user="10119metux"]just had a closer look at the SMIME stuff (NE feature), and was quite a bit shocked, what's going on here.[/quote]If you have a problem to report then file a bug report, that is the correct place for it and not these forums. By all means discuss the problem in the forums but without bug report there's a possibility it may get missed. This is also posted in the wrong forum, I'll move it.

[quote user="10330phoenix"]

If you have a problem to report then file a bug report,

[/QUOTE]
It's not just a bug, it's a major design flaw - the whole approach is completely wrong.
[quote user="10330phoenix"]

that is the correct place for it and not these forums.

[/QUOTE]
I've put it into the user forum for a good reason: warn the users (yes, especially end-users!)

not to ever even consider using it.
In fact, such serious misdesigns deserve a headline article @slashdot, heise, etc.
[quote user="10330phoenix"]

By all means discuss the problem in the forums but without bug report there's a possibility it may get missed.

[/QUOTE]
Here it is:

In">https://bugzilla.zimbra.com/show_bug.cgi?id=92142
In fact, I wouldn't be surprised at all, if it gets closed WONTFIX quickly ... ;-o

[quote user="10119metux"]It's not just a bug, it's a major design flaw - the whole approach is completely wrong.[/quote]Then it still belongs in bugzilla perhaps as an RFE?
[quote user="10119metux"]I've put it into the user forum for a good reason: warn the users (yes, especially end-users!)

not to ever even consider using it.[/quote]That's OK but you still should file a bug report (0rRFE).
[quote user="10119metux"]In fact, I wouldn't be surprised at all, if it gets closed WONTFIX quickly ... ;-o[/QUOTE]Really, are your bug reports that bad or is this just fortune telling?